On Fri, 22 Feb 2008 15:21:29 -0500, Gregory, Gary G <[EMAIL PROTECTED]> wrote: >Another way is to issue a RACROUTE REQUEST=EXTRACT and specify the UACC >and/or USERACS fields on the extract FIELDS parameter list. > >Refer to the RACROUTE Macro Reference appendix-B. > >That's what we did on last year when we developed the SAF Interface for >CA Tape Encryption. (Of course, if I'm wrong I'll let Russ bail me >out). >
The obvious disadvantages of that approach, of course, are that it burdens you with processing groups to determine the users they contain, and of processing conditional access lists to see if they apply. And it bypasses GLOBAL processing, which an administrator may have decided to use to grant accesses. And you can get the wrong answer for general resource classes (if they're RACLISTed and you make the request the wrong way) or for data sets (if their generic profile is already in storage but the profile has changed on the database). But other than that, and anything else I've forgotten at the moment, and anything we add in the future, I suppose it's an approach you could use. I wouldn't, though. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
